On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics:

  1. Promoting Information Sharing for Treatment and Care Coordination

First, in the RFI, OCR expresses concern about the fact that the Privacy Rule does not currently include a deadline or requirement to disclose records when requested by another health care provider or other covered entity for purposes of coordinating care or managing cases. OCR highlights that the lack of such a requirement “can lead to circumstances where records are not transferred between covered entities (or from a covered entity to another health care provider) in a timely fashion to the detriment of coordinated care and/or case management” (e.g., when a patient switches medical providers and their new provider requests the transfer of records from the previous provider). Therefore, OCR seeks public comment on the scope of this issue and whether revisions to the Privacy Rule can be made to promote the timely transfer of PHI for care coordination and case management purposes.

Second, OCR explains that, although disclosures to or requests by health care providers for treatment purposes, including care coordination and case management, are excepted from the Privacy Rule’s minimum necessary requirement, there is no such exception for disclosures of PHI to non-provider covered entities for care coordination and/or case management. Thus, OCR seeks public comment on whether “disclosures of PHI to non-provider covered entities for care coordination and/or case management as part of treatment, and/or health care operations, should be excepted from the minimum necessary standard, and if so, to what extent.”

Third, OCR explains that, despite the fact that the Privacy Rule currently permits health care providers to disclose information to non-covered entities for care coordination/treatment management purposes, some covered entities have been reluctant to do so for fear of violating HIPAA. OCR, therefore, requests public comment on whether “an express regulatory permission should be created for HIPAA covered entities to disclose PHI to social service agencies or community-based support programs.” Furthermore, OCR seeks input on whether there should be requirements or conditions on this regulatory permission (e.g., a requirement that an agreement similar to a BAA be in place).

  2. Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness

Recognizing the need to address the current opioid crisis and the number of individuals suffering from a serious mental illness, OCR states in the RFI that it is “considering a separate rulemaking that would seek to encourage covered entities to share PHI with family members, caregivers, and others in a position to avert threats of harm to health and safety, when necessary to promote the health and recovery of those struggling with substance use disorder” and/or a serious mental illness. OCR is requesting public input on whether certain changes should be made to the Privacy Rule in order to increase the ability of family members and caregivers to access the records of individuals with substance use disorders or mental health issues, including potential revisions to the Privacy Rule’s current deference to state law with respect to the authority of a person to act as a personal representative of an individual in making decisions related to their health care.

  3. Accounting of Disclosures

In the RFI, OCR notes that, although the Privacy Rule currently excludes certain disclosures from the accounting of disclosures requirement, including disclosures made for treatment, payment, and health care operations purposes (“TPO”), “section 13405(c) of the HITECH Act directs [OCR] to modify the Privacy Rule to require that an accounting of disclosures include disclosures made for TPO purposes through an electronic health record during the three years before the request.” In 2011, OCR issued a Notice of Proposed Rulemaking (“NPRM”) to implement the HITECH Act requirement and received public feedback that its proposal to require covered entities to provide individuals with an access report showing who had accessed the information in an individual’s electronic designated record set would “create undue burden for covered entities without providing meaningful information to individuals.” As a result, OCR states in the RFI that it intends to withdraw the 2011 NPRM and seek new information on how OCR can implement the HITECH requirement.

  4. Notice of Privacy Practices

Lastly, OCR seeks public comment on whether the current Privacy Rule provision that requires covered providers to make a good faith effort to obtain written acknowledgement of an individual’s receipt of the provider’s Notice of Privacy Practices (“NPP”) “should be eliminated to reduce the burden on providers and to free up time and resources for providers to spend on treatment and care coordination.” OCR also seeks input on other ways the NPP requirements may be modified to alleviate the administrative burden on covered entities without compromising transparency of the provider’s privacy practices or the individual’s awareness of his or her rights.

The RFI includes a series of 54 detailed questions on a wide range of issues related to the four aforementioned topics. The OCR press release regarding the RFI is available here.

Our take:

All interested parties should review the questions in the RFI and consider submitting responses, as this is a great opportunity for stakeholders to help shape the health care privacy regulatory framework. Several of the questions seek information regarding the technical limitations of existing, commonly used EHR systems and the current administrative burden on HIPAA entities with respect to fulfilling the right of access obligations, which are common areas of concern. Comments are due by February 12, 2019.